/*     */ package com.zimbra.cs.account;
/*     */ 
/*     */ import com.google.common.base.Objects;
/*     */ import com.google.common.base.Objects.ToStringHelper;
/*     */ import com.google.common.collect.Maps;
/*     */ import com.zimbra.common.account.Key.AccountBy;
/*     */ import com.zimbra.common.account.Key.DistributionListBy;
/*     */ import com.zimbra.common.account.Key.DomainBy;
/*     */ import com.zimbra.common.account.ZAttrProvisioning.AdminAccessControlMech;
/*     */ import com.zimbra.common.localconfig.KnownKey;
/*     */ import com.zimbra.common.localconfig.LC;
/*     */ import com.zimbra.common.service.ServiceException;
/*     */ import com.zimbra.common.util.Log;
/*     */ import com.zimbra.common.util.ZimbraLog;
/*     */ import com.zimbra.cs.account.accesscontrol.ACLAccessManager;
/*     */ import com.zimbra.cs.account.accesscontrol.GlobalAccessManager;
/*     */ import com.zimbra.cs.account.accesscontrol.Right;
/*     */ import com.zimbra.cs.account.accesscontrol.Rights.User;
/*     */ import com.zimbra.cs.account.accesscontrol.TargetType;
/*     */ import com.zimbra.cs.util.AccountUtil;
/*     */ import com.zimbra.cs.util.Zimbra;
/*     */ import java.util.HashSet;
/*     */ import java.util.Map;
/*     */ import java.util.Set;
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ public abstract class AccessManager
/*     */ {
/*     */   private static AccessManager sManager;
/*     */   
/*     */   public static AccessManager getInstance()
/*     */   {
/*  43 */     if (sManager == null)
/*     */     {
/*     */ 
/*     */ 
/*     */       try
/*     */       {
/*     */ 
/*  50 */         Config config = Provisioning.getInstance().getConfig();
/*  51 */         String accessManager = config.getAttr("zimbraAdminAccessControlMech");
/*  52 */         if (accessManager != null) {
/*  53 */           ZAttrProvisioning.AdminAccessControlMech am = ZAttrProvisioning.AdminAccessControlMech.fromString(accessManager);
/*  54 */           if (am == ZAttrProvisioning.AdminAccessControlMech.acl) {
/*  55 */             sManager = new ACLAccessManager();
/*  56 */           } else if (am == ZAttrProvisioning.AdminAccessControlMech.global)
/*  57 */             sManager = new GlobalAccessManager();
/*     */         }
/*     */       } catch (ServiceException e) {
/*  60 */         ZimbraLog.account.warn("unable to determine access manager from global config attribute zimbraAdminAccessControlMech, fallback to use LC key " + LC.zimbra_class_accessmanager.key(), e);
/*     */       }
/*     */       
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*  71 */       if (sManager == null) {
/*  72 */         String className = LC.zimbra_class_accessmanager.value();
/*     */         
/*  74 */         if ((className != null) && (!className.equals(""))) {
/*     */           try {
/*  76 */             sManager = (AccessManager)Class.forName(className).newInstance();
/*     */           } catch (Exception e) {
/*  78 */             ZimbraLog.account.error("could not instantiate AccessManager interface of class '" + className + "'; defaulting to DomainAccessManager", e);
/*     */           }
/*     */         }
/*     */       }
/*     */       
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*  87 */       if (sManager == null) {
/*  88 */         sManager = new GlobalAccessManager();
/*     */       }
/*  90 */       if (Zimbra.started()) {
/*  91 */         ZimbraLog.account.info("Initialized access manager: " + sManager.getClass().getCanonicalName());
/*     */       }
/*     */     }
/*     */     
/*  95 */     return sManager;
/*     */   }
/*     */   
/*     */   public abstract boolean isDomainAdminOnly(AuthToken paramAuthToken);
/*     */   
/*     */   public abstract boolean isAdequateAdminAccount(Account paramAccount);
/*     */   
/*     */   public Account getAccount(AuthToken at) throws ServiceException {
/* 103 */     return Provisioning.getInstance().get(Key.AccountBy.id, at.getAccountId(), at);
/*     */   }
/*     */   
/*     */   protected Account getAdminAccount(AuthToken at) throws ServiceException {
/* 107 */     String adminAcctId = at.getAdminAccountId();
/* 108 */     if (adminAcctId == null) {
/* 109 */       return null;
/*     */     }
/* 111 */     return Provisioning.getInstance().get(Key.AccountBy.id, adminAcctId, at);
/*     */   }
/*     */   
/*     */   public Domain getDomain(AuthToken at) throws ServiceException {
/* 115 */     return Provisioning.getInstance().getDomain(getAccount(at));
/*     */   }
/*     */   
/*     */   public abstract boolean canAccessAccount(AuthToken paramAuthToken, Account paramAccount, boolean paramBoolean)
/*     */     throws ServiceException;
/*     */   
/*     */   public abstract boolean canAccessAccount(AuthToken paramAuthToken, Account paramAccount)
/*     */     throws ServiceException;
/*     */   
/*     */   public abstract boolean canAccessAccount(Account paramAccount1, Account paramAccount2, boolean paramBoolean)
/*     */     throws ServiceException;
/*     */   
/*     */   public abstract boolean canAccessAccount(Account paramAccount1, Account paramAccount2)
/*     */     throws ServiceException;
/*     */   
/*     */   public abstract boolean canAccessDomain(AuthToken paramAuthToken, String paramString)
/*     */     throws ServiceException;
/*     */   
/*     */   public abstract boolean canAccessDomain(AuthToken paramAuthToken, Domain paramDomain)
/*     */     throws ServiceException;
/*     */   
/*     */   public abstract boolean canAccessCos(AuthToken paramAuthToken, Cos paramCos)
/*     */     throws ServiceException;
/*     */   
/*     */   public abstract boolean canCreateGroup(AuthToken paramAuthToken, String paramString)
/*     */     throws ServiceException;
/*     */   
/*     */   public abstract boolean canCreateGroup(Account paramAccount, String paramString)
/*     */     throws ServiceException;
/*     */   
/*     */   public abstract boolean canAccessGroup(AuthToken paramAuthToken, Group paramGroup)
/*     */     throws ServiceException;
/*     */   
/*     */   public abstract boolean canAccessGroup(Account paramAccount, Group paramGroup, boolean paramBoolean)
/*     */     throws ServiceException;
/*     */   
/*     */   public abstract boolean canAccessEmail(AuthToken paramAuthToken, String paramString)
/*     */     throws ServiceException;
/*     */   
/*     */   public abstract boolean canModifyMailQuota(AuthToken paramAuthToken, Account paramAccount, long paramLong)
/*     */     throws ServiceException;
/*     */   
/*     */   public boolean allowPrivateAccess(Account authAccount, Account targetAccount, boolean asAdmin) throws ServiceException
/*     */   {
/* 159 */     if ((authAccount != null) && (targetAccount != null)) {
/* 160 */       if (authAccount.getId().equalsIgnoreCase(targetAccount.getId()))
/* 161 */         return true;
/* 162 */       if (canAccessAccount(authAccount, targetAccount, asAdmin))
/* 163 */         return true;
/*     */     }
/* 165 */     return false;
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   protected boolean isParentOf(AuthToken at, Account target)
/*     */     throws ServiceException
/*     */   {
/* 184 */     Account acct = getAccount(at);
/* 185 */     return isParentOf(acct, target);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   protected boolean isParentOf(Account credentials, Account target)
/*     */   {
/* 197 */     Set<String> childAccts = credentials.getMultiAttrSet("zimbraChildAccount");
/* 198 */     String targetId = target.getId();
/*     */     
/* 200 */     if (childAccts.contains(targetId)) {
/* 201 */       return true;
/*     */     }
/* 203 */     return false;
/*     */   }
/*     */   
/*     */   protected void checkDomainStatus(Account acct) throws ServiceException {
/* 207 */     Domain domain = Provisioning.getInstance().getDomain(acct);
/* 208 */     checkDomainStatus(domain);
/*     */   }
/*     */   
/*     */   protected void checkDomainStatus(Group group) throws ServiceException {
/* 212 */     Domain domain = group.getDomain();
/* 213 */     checkDomainStatus(domain);
/*     */   }
/*     */   
/*     */   protected void checkDomainStatus(String domainName) throws ServiceException {
/* 217 */     Domain domain = Provisioning.getInstance().get(Key.DomainBy.name, domainName);
/* 218 */     checkDomainStatus(domain);
/*     */   }
/*     */   
/*     */   public void checkDomainStatus(Domain domain) throws ServiceException {
/* 222 */     if ((domain != null) && (
/* 223 */       (domain.isSuspended()) || (domain.isShutdown()))) {
/* 224 */       throw ServiceException.PERM_DENIED("domain is " + domain.getDomainStatusAsString());
/*     */     }
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */   public abstract boolean canDo(MailTarget paramMailTarget, Entry paramEntry, Right paramRight, boolean paramBoolean);
/*     */   
/*     */ 
/*     */ 
/*     */   public abstract boolean canDo(AuthToken paramAuthToken, Entry paramEntry, Right paramRight, boolean paramBoolean);
/*     */   
/*     */ 
/*     */   public abstract boolean canDo(String paramString, Entry paramEntry, Right paramRight, boolean paramBoolean);
/*     */   
/*     */ 
/*     */   public static abstract interface AttrRightChecker
/*     */   {
/*     */     public abstract boolean allowAttr(String paramString);
/*     */   }
/*     */   
/*     */ 
/*     */   public static class ViaGrant
/*     */   {
/*     */     private ViaGrant mImpl;
/*     */     
/*     */ 
/* 251 */     public void setImpl(ViaGrant impl) { this.mImpl = impl; }
/* 252 */     public String getTargetType() { return this.mImpl == null ? null : this.mImpl.getTargetType(); }
/* 253 */     public String getTargetName() { return this.mImpl == null ? null : this.mImpl.getTargetName(); }
/* 254 */     public String getGranteeType() { return this.mImpl == null ? null : this.mImpl.getGranteeType(); }
/* 255 */     public String getGranteeName() { return this.mImpl == null ? null : this.mImpl.getGranteeName(); }
/* 256 */     public String getRight() { return this.mImpl == null ? null : this.mImpl.getRight(); }
/* 257 */     public boolean isNegativeGrant() { return this.mImpl == null ? false : this.mImpl.isNegativeGrant(); }
/*     */     
/* 259 */     public boolean available() { return this.mImpl != null; }
/*     */     
/*     */     public String toString()
/*     */     {
/* 263 */       if (this.mImpl == null) {
/* 264 */         return Objects.toStringHelper(this).toString();
/*     */       }
/* 266 */       return Objects.toStringHelper(this).add("targetType", this.mImpl.getTargetType()).add("targetName", this.mImpl.getTargetName()).add("granteeType", this.mImpl.getGranteeType()).add("granteeName", this.mImpl.getGranteeName()).add("right", this.mImpl.getRight()).add("negativeGrant", this.mImpl.isNegativeGrant()).toString();
/*     */     }
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public boolean canDo(MailTarget grantee, Entry target, Right rightNeeded, boolean asAdmin, ViaGrant viaGrant)
/*     */     throws ServiceException
/*     */   {
/* 278 */     return canDo(grantee, target, rightNeeded, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canDo(AuthToken grantee, Entry target, Right rightNeeded, boolean asAdmin, ViaGrant viaGrant) throws ServiceException
/*     */   {
/* 283 */     return canDo(grantee, target, rightNeeded, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canDo(String granteeEmail, Entry target, Right rightNeeded, boolean asAdmin, ViaGrant viaGrant) throws ServiceException
/*     */   {
/* 288 */     return canDo(granteeEmail, target, rightNeeded, asAdmin);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public abstract boolean canGetAttrs(Account paramAccount, Entry paramEntry, Set<String> paramSet, boolean paramBoolean)
/*     */     throws ServiceException;
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public abstract boolean canGetAttrs(AuthToken paramAuthToken, Entry paramEntry, Set<String> paramSet, boolean paramBoolean)
/*     */     throws ServiceException;
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public AttrRightChecker getGetAttrsChecker(Account credentials, Entry target, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 330 */     throw ServiceException.FAILURE("not supported", null);
/*     */   }
/*     */   
/*     */   public AttrRightChecker getGetAttrsChecker(AuthToken credentials, Entry target, boolean asAdmin) throws ServiceException
/*     */   {
/* 335 */     throw ServiceException.FAILURE("not supported", null);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public abstract boolean canSetAttrs(Account paramAccount, Entry paramEntry, Set<String> paramSet, boolean paramBoolean)
/*     */     throws ServiceException;
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public abstract boolean canSetAttrs(AuthToken paramAuthToken, Entry paramEntry, Set<String> paramSet, boolean paramBoolean)
/*     */     throws ServiceException;
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public abstract boolean canSetAttrs(Account paramAccount, Entry paramEntry, Map<String, Object> paramMap, boolean paramBoolean)
/*     */     throws ServiceException;
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public abstract boolean canSetAttrs(AuthToken paramAuthToken, Entry paramEntry, Map<String, Object> paramMap, boolean paramBoolean)
/*     */     throws ServiceException;
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public boolean canSetAttrsOnCreate(Account credentials, TargetType targetType, String entryName, Map<String, Object> attrs, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 377 */     throw ServiceException.FAILURE("not supported", null);
/*     */   }
/*     */   
/*     */   public Map<Right, Set<Entry>> discoverUserRights(Account credentials, Set<Right> rights, boolean onMaster) throws ServiceException
/*     */   {
/* 382 */     return Maps.newHashMap();
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */   public boolean canPerform(MailTarget credentials, Entry target, Right rightNeeded, boolean canDelegate, Map<String, Object> attrs, boolean asAdmin, ViaGrant viaGrant)
/*     */     throws ServiceException
/*     */   {
/* 390 */     throw ServiceException.FAILURE("not supported", null);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */   public boolean canPerform(AuthToken credentials, Entry target, Right rightNeeded, boolean canDelegate, Map<String, Object> attrs, boolean asAdmin, ViaGrant viaGrant)
/*     */     throws ServiceException
/*     */   {
/* 398 */     throw ServiceException.FAILURE("not supported", null);
/*     */   }
/*     */   
/*     */   public boolean canSendAs(Account grantee, Account targetAccount, String targetAddress, boolean asAdmin) throws ServiceException
/*     */   {
/* 403 */     return canSendInternal(grantee, targetAccount, targetAddress, Rights.User.R_sendAs, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canSendOnBehalfOf(Account grantee, Account targetAccount, String targetAddress, boolean asAdmin) throws ServiceException
/*     */   {
/* 408 */     return canSendInternal(grantee, targetAccount, targetAddress, Rights.User.R_sendOnBehalfOf, asAdmin);
/*     */   }
/*     */   
/*     */   private boolean canSendInternal(Account grantee, Account targetAccount, String targetAddress, Right sendRight, boolean asAdmin) throws ServiceException
/*     */   {
/* 413 */     boolean allowed = false;
/*     */     Right dlSendRight;
/* 415 */     if (Rights.User.R_sendAs.equals(sendRight)) {
/* 416 */       dlSendRight = Rights.User.R_sendAsDistList; } else { Right dlSendRight;
/* 417 */       if (Rights.User.R_sendOnBehalfOf.equals(sendRight)) {
/* 418 */         dlSendRight = Rights.User.R_sendOnBehalfOfDistList;
/*     */       } else
/* 420 */         throw ServiceException.FAILURE("invalid send right " + sendRight, null); }
/*     */     Right dlSendRight;
/* 422 */     NamedEntry target = null;
/* 423 */     if (AccountUtil.addressHasInternalDomain(targetAddress))
/*     */     {
/* 425 */       Provisioning prov = Provisioning.getInstance();
/* 426 */       if (prov.isDistributionList(targetAddress)) {
/* 427 */         target = prov.getGroupBasic(Key.DistributionListBy.name, targetAddress);
/* 428 */         sendRight = dlSendRight;
/*     */       } else {
/* 430 */         target = prov.get(Key.AccountBy.name, targetAddress);
/*     */       }
/* 432 */     } else if (targetAccount != null)
/*     */     {
/* 434 */       Set<String> addrs = new HashSet();
/* 435 */       String[] allowedFromAddrs = targetAccount.getMultiAttr("zimbraAllowFromAddress");
/* 436 */       for (String addr : allowedFromAddrs) {
/* 437 */         addrs.add(addr.toLowerCase());
/*     */       }
/* 439 */       if (addrs.contains(targetAddress.toLowerCase())) {
/* 440 */         target = targetAccount;
/*     */       }
/*     */     }
/* 443 */     if (target != null) {
/* 444 */       allowed = canDo(grantee, target, sendRight, asAdmin);
/* 445 */       if ((allowed) && (!asAdmin))
/*     */       {
/*     */ 
/* 448 */         allowed = AccountUtil.isAllowedSendAddress(target, targetAddress);
/*     */       }
/*     */     }
/* 451 */     return allowed;
/*     */   }
/*     */ }


/* Location:              /home/mint/zimbrastore.jar!/com/zimbra/cs/account/AccessManager.class
 * Java compiler version: 7 (51.0)
 * JD-Core Version:       0.7.1
 */